Read Only Access -Winscp

Latest response

Hi,

I am want to give read only access to few Active Directory users and these can also use WinScp to download anything from Linux to Local drive.

How can I Achieve that without giving them full access.

Responses

Hello Jaskaran Singh,

Your question is quite diverse. Much of the unknown here is the permissions you have for whatever filesystems are presented with the system you are allowing an scp function from windows (I'm assuming windows since you mention Winscp). When one of your authorized users uses winscp to a system you provide, the filesystems they have access to will have whatever permissions exist. This overwhelmingly sounds like a permissions question for when a Windows person lands by winscp to the Linux system you provide. If your permissions are "too generous", then they could execute undesired scp actions (like sending a file to clobber an existing file) and that would not be good for what you describe.

One alternative, you could possibly serve the filesystem through samba, but make it read-only in the samba share. Alternatively you could NFS share it to another system, but read-only and have the people go to the Linux system that mounts that NFS share, but only as read-only. Then when your windows users use winscp to the system that mounts the NFS share, it would be read-only because on the system that serves it would have read only set in the /etc/exports file..

If someone logs in directly into that system, the permissions will be as they are, and it seems from what you've mentioned it is not read-only. We're not clear if it is appropriate for you to change the permissions recursively - that could potentially deny access to those you wish to allow access to. It's hard to know from the limited information.

Perhaps some of what I provided above may help, yet I'm not sure if you have another system to be an NFS share server where you'd mount the filesystem you're talking about as read-only, or if you were to establish a Samba server and only allow read-only access - but those are a couple of thoughts that may or may not work for you after your consideration.

Kind Regards, and welcome,
RJ